
5 Recent Examples of Security Breach Incidents And What Businesses Must Learn From Them
The number and severity of cyberattacks is rising year on year, and a string of high-profile incidents over the last two years has made one thing clear: no business is safe, regardless of size or sector. In the most extreme cases, such as the 2024 NPD breach, the consequences can even close a company for good.
While no two attacks are identical, threat actors consistently exploit the same categories of weaknesses, such as unprotected credentials, vendor dependencies, insufficient access controls and gaps in detection. The five incidents below illustrate exactly how breaches happen and what security teams must address when building a data breach response plan capable of withstanding them.
Jaguar Land Rover: When A Digital Attack Becomes A Physical Crisis

In September 2025, attackers gained access to auto manufacturer Jaguar Land Rover’s network using stolen credentials harvested from a third-party contractor. From there, they moved laterally and deployed ransomware across core IT systems, forcing the company to shut down all production.
The real-world consequences were immediate and far-reaching. The firm’s UK plants produced zero vehicles for several weeks, with total UK car production falling by 27 percent in September. The Cyber Monitoring Centre estimated total economic damage at £1.9 billion, making it the most financially damaging cyberattack in UK history, while JLR itself reported £196 million in direct costs. Over 5,000 supplier businesses were disrupted, prompting the UK government to step in to stabilize the supply chain.
Key takeaways from this attack include:
- Enforce strict access governance for all third-party contractors.
- Treat IT and operational systems as equally critical, since a digital breach can halt physical production entirely.
- Build resilience plans that account for the cascading impact on dependent suppliers.
Change Healthcare: How One Stolen Password Cost Billions
On February 12th 2024, ransomware group ALPHV/BlackCat accessed the systems of Change Healthcare, a US health payment processing company, using stolen credentials on a remote access portal that had no multifactor authentication (MFA) in place. Attackers then spent days moving laterally through the network before deploying ransomware on February 21st, exfiltrating an estimated 6TB of sensitive patient data.
Change Healthcare processes around 40 percent of all US medical claims, so the consequences of its systems going offline disrupted pharmacy services, claims processing and billing nationwide. The company paid a $22 million ransom to get back up and running and advanced billions to providers unable to process payments during the outage.
Considerations for businesses from this attack include:
- MFA must be enforced on every remote access portal, without exception.
- Acquired systems and legacy infrastructure must be audited and brought up to security standards promptly.
- Network segmentation limits lateral movement once an attacker gains initial access.
Coinbase: The Challenge Of Insider Threats
Cryptocurrency exchange Coinbase disclosed in May 2025 that cybercriminals had gained access to its systems by bribing a group of overseas customer support contractors to steal customer data. This meant no malware, stolen credentials or technical exploits were required.
The breach began as far back as December 2024 and exposed personal data belonging to around 69,000 customers. Estimated costs from the incident reached as high as $400 million, though Coinbase refused to pay the $20 million ransom demand.
This highlights how insider threats, whether driven by carelessness, malice or bribery, are among the hardest attack vectors to detect, precisely because the access being exploited is legitimate. Third-party employees with access to sensitive systems present a particular challenge.
Businesses should consider the following defenses against insider threats:
- Apply the principle of least privilege so third-party contractors only ever access the data their role strictly requires.
- Behavioral monitoring can detect unusual access patterns before data leaves the organization.
- Anti data exfiltration tools provide a critical last line of defense when access controls alone are insufficient.
Synnovis And The NHS: The Severe Consequences Facing Sensitive Sectors
On June 3rd 2024, Russian cybercriminal group Qilin targeted Synnovis, a pathology services provider for NHS trusts across south-east London. The ransomware attack both encrypted systems and exfiltrated data. The knock-on effects meant trusts had to fall back on slow, paper-based processes, directly affecting care across the UK capital.
Over 10,000 appointments were cancelled and the attack was later confirmed as a contributing factor in a patient’s death, making it one of the first publicly confirmed cases of a cyberattack directly linked to loss of life. Synnovis reported £32.7 million in direct costs and, when it refused to pay the $50 million ransom, Qilin leaked 400GB of sensitive patient data publicly.
Businesses operating in regulated, high-stakes sectors must recognize:
- Vendor contracts must include enforceable cybersecurity standards. A supplier vulnerability can take down every organization that depends on them.
- In sectors where services directly affect human welfare, the bar for cybersecurity investment must reflect the potential consequences of failure.
- Continuity planning must account for total loss of third-party services, not just partial disruption.
AT&T And Snowflake: Who Is Responsible For Data In The Cloud?
In mid-2024, telecommunications giant AT&T discovered that call and text message records belonging to nearly 110 million customers had been stolen from its Snowflake cloud environment. AT&T was not the only firm affected – at least 160 organizations were compromised in the same campaign, in which attackers used stolen credentials to access accounts. While the platform itself was not breached, the vulnerability lay entirely in how customers like AT&T had configured their accounts.
This highlights how moving data to a cloud platform does not transfer security responsibility to the provider. AT&T still owned the data and was ultimately responsible for securing access to it.
Key considerations for businesses storing data in the cloud:
- Understand the shared responsibility model. While cloud providers secure the platform, customers are responsible for access controls and configuration.
- Storing sensitive data in the cloud without a clear internal owner for its security creates accountability gaps.
- Credentials must be regularly audited and rotated, particularly those held by contractors or third parties.
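One concrete version of the credential audit described above, as an added example that is not part of the original article: a Snowflake query that lists accounts which have recently signed in with a password alone, with no second factor, and whether each is enrolled in MFA. It assumes a role that can read the SNOWFLAKE.ACCOUNT_USAGE views (for example ACCOUNTADMIN); the 30-day window is an arbitrary choice.

```sql
-- Added example, not from the original article.
-- Assumes the querying role can read SNOWFLAKE.ACCOUNT_USAGE views.
-- Surfaces successful logins in the last 30 days that completed with a
-- password and no second factor, grouped per user, alongside the user's
-- Duo/MFA enrollment flag and how many distinct source IPs were seen.
SELECT
    lh.user_name,
    u.ext_authn_duo                  AS mfa_enrolled,
    COUNT(*)                         AS password_only_logins,
    COUNT(DISTINCT lh.client_ip)     AS distinct_source_ips,
    MAX(lh.event_timestamp)          AS last_password_only_login
FROM snowflake.account_usage.login_history AS lh
JOIN snowflake.account_usage.users         AS u
  ON u.name = lh.user_name
WHERE lh.event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND lh.is_success = 'YES'
  AND lh.first_authentication_factor = 'PASSWORD'
  AND lh.second_authentication_factor IS NULL
  AND u.deleted_on IS NULL             -- ignore users already removed
GROUP BY lh.user_name, u.ext_authn_duo
ORDER BY password_only_logins DESC, distinct_source_ips DESC;
```

Every row returned is an account that a stolen password alone would open; rows with many distinct source IPs or a high login count deserve review first, and the fix is to enrol those users in MFA, rotate the credential, or move service accounts to key-pair or OAuth authentication.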
What These Incidents Have In Common
The causes of these breaches vary, from stolen credentials and insider threats to vendor dependencies and misconfigured cloud environments. However, the outcomes are strikingly consistent. Ransomware and data exfiltration feature across almost every major incident, regardless of sector or attack vector, driving significant financial and reputational damage.
Prevention will always be preferable to response, but no security posture is perfect. While a clear and tested data breach response plan may not have prevented these incidents, it would have limited the damage in each case.
Frequently Asked Questions About Security Breach Incidents
What is the difference between a security breach and a data breach?
A security breach is any unauthorized access to systems or networks. A data breach is a specific type of security breach where sensitive data is accessed, stolen or exposed.
Which industries experience the most security breaches?
Healthcare, financial services and critical infrastructure are the most targeted sectors, though no industry is immune. Any organization holding valuable or sensitive data is a potential target.
What are the most common causes of security breaches?
Stolen or weak credentials, unpatched vulnerabilities, phishing, insider threats and third-party vendor weaknesses are among the most frequently exploited entry points.
How can businesses learn from past security breaches?
By studying real-world incidents, identifying the weaknesses exploited and auditing their own controls against the same vulnerabilities before an attack occurs.
What steps help prevent security breaches in organizations?
Enforce MFA, apply least-privilege access, conduct regular security audits, train staff on threats, deploy anti data exfiltration technology and maintain a tested incident response plan.
Frequently Asked Questions About Data Breach Consequences
What are the most common consequences of a data breach?
Operational downtime, regulatory fines, legal costs and reputational damage are the most immediate impacts. Longer-term consequences include civil litigation, lost contracts and higher insurance premiums.
How do data breaches affect a company’s reputation?
Significantly and often lastingly. Delayed or poor disclosure accelerates the damage. Research consistently shows a material proportion of consumers will stop using a company’s services following a breach.
What financial losses can businesses face after a data breach?
IBM’s 2025 report puts the average US breach cost at $10.22 million. Indirect expenses, such as lost contracts, higher insurance premiums and increased borrowing costs, can push the total considerably higher.
Can a company recover from a major data breach?
Most can, but recovery depends on response quality. Businesses with tested plans and cyber insurance fare better. A significant proportion of small firms hit by a serious breach fail within six months.
How long do the effects of a data breach typically last?
Immediate disruption may resolve within weeks, but litigation, regulatory investigations and reputational damage can persist for years. Class-action lawsuits routinely take several years to reach settlement.
What steps can businesses take to minimize breach consequences?
Invest in preventive controls, staff training and proactive monitoring. Have a tested response plan, cyber insurance and pre-drafted notification templates ready before an incident occurs.